req.session.user is deleted while user is active
I set the session timeout to 30 minutes. While I am still active, `req.session.user` is deleted after 30 minutes. However, the session is still alive. Here's my config (I'm using express-session and passport.js):

```js
app.use(session({
  store: new RedisStore(options),
  secret: <some_secret>,
  resave: false,
  saveUninitialized: false,
  cookie: {maxAge: 1800000}
}));
app.use(passport.initialize());
app.use(passport.session());
// Are these serializer/deserializer needed?
passport.serializeUser((user, done) => {
  done(null, user);
});
passport.deserializeUser((user, done) => {
  done(null, user);
});
```

In login:

```js
router.post('/login', (req, res, next) => {
  passport.authenticate('ldapauth', {session: false}, (err, user, info) => {
    ...
    if (user) {
      req.session.user = {email: req.body.username};
    }
    next();
  })(req, res);
});
```

The verify code is like this:

```js
isLoggedIn() {
  if (req.session && req.session.user) {
    return true;
  }
  return false;
}
```

I set the `req.session.user` to some object after I successfully logged in.

So, after 30 minutes, `req.session.user` is deleted, but `req.session` is still there and keeps on incrementing the expiry date since I am still actively working on the page.

Why is `req.session.user` deleted after 30 minutes? I thought passport rides on the session by express?
node.js passport.js
This question has an open bounty worth +50
reputation from iPhoneJavaDev ending in 4 days.
Looking for an answer drawing from credible and/or official sources.
Please post the redis options. I suspect you set the expiration on the data. – niry, 2 days ago

I didn't set any expiration on Redis. In the options I only provide the client to connect to. Besides, even when I encountered the timeout, the session id remains in redis. – iPhoneJavaDev, 2 days ago

Just to clarify, with "encountered the timeout", I mean the req.session.user that I set got deleted after 30 minutes of still being active. I'm thinking there's something going on with passport, maybe, I'm not sure. – iPhoneJavaDev, 2 days ago
edited Nov 9 at 1:46, Community♦
asked Nov 8 at 9:34, iPhoneJavaDev
1 Answer
From: https://www.npmjs.com/package/connect-redis

> `ttl` Redis session TTL (expiration) in seconds. Defaults to session.cookie.maxAge (if set), or one day. This may also be set to a function of the form (store, sess, sessionID) => number.

You can avoid deleting keys by setting disableTTL:

> `disableTTL` Disables setting TTL, keys will stay in redis until evicted by other means (overrides ttl)
I'm not sure about this as the sessionId remains in redis after the req.session.user got deleted. – iPhoneJavaDev, 2 days ago

Did you actually try it? – niry, yesterday

At first, I didn't try it because I think it's not related. Redis only stores the sessionId with key `sess:<sessionId>`. That's all. I think that's express-session's behavior, to store only the sessionId. So I don't think disabling TTL will do anything as `req.session.user` is not saved in redis. But then, I still tried. I added `store: new RedisStore({client: <myredisclient>, disableTTL: true}),`. As expected, the same behavior. Because it's not related to req.session.user that I am setting. – iPhoneJavaDev, yesterday
answered 2 days ago
niry
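
The `ttl` / `disableTTL` rule quoted in the answer above, modelled as an added example (not code from connect-redis, the answer, or the question). `effectiveTtl`, `ModelStore`, `survivesUntil` and the in-memory clock are hypothetical names, and refreshing the TTL on `touch` is an assumption about how an active session is kept alive.

```javascript
// Added model of the documented ttl rule; not connect-redis source code.
const ONE_DAY_S = 86400;

// Explicit ttl (number or function) wins; otherwise cookie.maxAge
// (milliseconds) converted to seconds; otherwise one day.
function effectiveTtl(opts, sess, sid) {
  if (opts.disableTTL) return null; // null: key never expires on its own
  if (typeof opts.ttl === 'function') return opts.ttl(opts, sess, sid);
  if (typeof opts.ttl === 'number') return opts.ttl;
  const maxAge = sess && sess.cookie && sess.cookie.maxAge;
  return typeof maxAge === 'number' ? Math.floor(maxAge / 1000) : ONE_DAY_S;
}

// Hypothetical in-memory stand-in for Redis; clock.now is in seconds.
class ModelStore {
  constructor(opts, clock) {
    this.opts = opts;
    this.clock = clock;
    this.keys = new Map(); // 'sess:<sid>' -> { data, expiresAt }
  }
  set(sid, sess) {
    const ttl = effectiveTtl(this.opts, sess, sid);
    const expiresAt = ttl === null ? Infinity : this.clock.now + ttl;
    this.keys.set('sess:' + sid, { data: JSON.stringify(sess), expiresAt });
  }
  get(sid) {
    const entry = this.keys.get('sess:' + sid);
    if (!entry) return null;
    if (this.clock.now >= entry.expiresAt) {
      this.keys.delete('sess:' + sid); // expired: whole session is gone
      return null;
    }
    return JSON.parse(entry.data);
  }
  // Assumption: a request on an unmodified session only refreshes the TTL.
  touch(sid) {
    const sess = this.get(sid);
    if (sess) this.set(sid, sess);
    return sess !== null;
  }
}

// Constructed scenario: login at t=0, then one request every gapMin minutes.
function survivesUntil(opts, gapMin, totalMin) {
  const clock = { now: 0 };
  const store = new ModelStore(opts, clock);
  store.set('abc', { cookie: { maxAge: 1800000 }, user: { email: 'a@example.test' } });
  for (let t = gapMin; t <= totalMin; t += gapMin) {
    clock.now = t * 60;
    if (!store.touch('abc')) return false;
  }
  return store.get('abc').user.email === 'a@example.test';
}
```

In this model a request every 10 minutes keeps the entry alive past the 30-minute mark, while a 45-minute gap drops the whole entry rather than one field. With `disableTTL: true` the entry outlives any idle gap, so server-side idle expiry then has to be enforced some other way.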